Regulation 21 of the SEBI (Listing Obligations and Disclosure Requirements) Regulations, 2015 takes risk out of the realm of the annual boardroom platitude and turns it into a standing, board-level institution. It commands the board of directors of larger listed entities to constitute a dedicated Risk Management Committee (RMC), prescribes who must sit on it, how often it must meet, what quorum it must carry, and through Part D of Schedule II hard-wires a non-negotiable charter of functions ranging from financial and operational risk to ESG and cyber security. This chapter unpacks the text of Regulation 21 sub-regulation by sub-regulation, traces its evolution from the Kotak Committee recommendations, situates it against the audit-committee architecture and the Companies Act, and draws on the Supreme Court's jurisprudence on director oversight to explain why a paper committee will not discharge the duty the regulation imposes.
Why a Board-Level Risk Committee At All
Risk is the price of enterprise, but unsupervised risk is the cause of corporate collapse. The cautionary tale that haunts Indian corporate governance is Satyam — a company with a fully constituted board, marquee independent directors and an audit committee, yet a multi-thousand-crore fraud running underneath it undetected. The lesson regulators drew was structural: the board cannot meaningfully oversee enterprise risk in the margins of quarterly results meetings; it needs a standing committee whose entire reason for existence is to map, monitor and mitigate the risks that could imperil the entity.
The Supreme Court had said as much, in a different vocabulary, decades earlier. In Official Liquidator, Supreme Bank Ltd. v. P.A. Tendolkar (1973) 1 SCC 602, the Court held that a director cannot shut his eyes to what must be obvious, nor escape liability by pleading ignorance of mismanagement he had the means to detect; the duty of care obliges a director to exercise reasonable supervision over the affairs entrusted to the board. Regulation 21 operationalises that duty for the modern listed entity. For the broader governance scaffolding into which this fits, see our chapter on board of directors composition.
Legislative History: From Kotak Committee to the 2021 Expansion
Regulation 21 has been progressively widened. The corporate-governance committee chaired by Uday Kotak, which reported in October 2017, recommended that the risk-management mandate be deepened and extended beyond the small band of the largest companies. SEBI acted through the SEBI (LODR) (Amendment) Regulations, 2018 (notified 9 May 2018), extending the obligation to constitute an RMC from the top 100 listed entities to the top 500, and requiring the committee to meet at least once a year.
The decisive overhaul came with the SEBI (LODR) (Second Amendment) Regulations, 2021 (notified 5 May 2021). This widened applicability to the top 1000 listed entities by market capitalisation, prescribed a minimum composition and quorum, mandated at least two meetings a year with a 180-day cap on the gap, introduced the requirement of a board-member chairperson, and most importantly inserted a binding charter of functions in Part D of Schedule II. A subsequent SEBI (LODR) (Second Amendment) Regulations, 2023 (notified 14 June 2023) relaxed the meeting-gap ceiling from 180 days to 210 days. The committee framework therefore sits alongside the older audit committee regime, sharing oversight of internal controls but with a distinct, forward-looking risk remit.
Who Must Constitute the Committee: Applicability
Regulation 21 does not apply to every listed entity. Sub-regulation (5) confines the core obligation to the top 1000 listed entities, determined on the basis of market capitalisation as at the end of the immediately preceding financial year. The cohort is therefore dynamic: an entity that climbs into the top 1000 must constitute the committee, and the membership of the cohort is reassessed each year against fresh market-capitalisation rankings.
The obligation was subsequently extended to High Value Debt Listed Entities (HVDLEs) — entities with only listed non-convertible debt securities (and no listed equity) above a prescribed outstanding value. That threshold was originally Rs. 500 crore and was raised to Rs. 1000 crore by the 2025 amendments to the listing regulations, narrowing the band of debt-only issuers caught by the corporate-governance chapter. Entities outside these cohorts are not compelled to constitute an RMC under Regulation 21, though many do so voluntarily to satisfy the Companies Act's risk-policy expectations discussed below.
Composition of the Committee
Sub-regulation (1) requires the board of directors to constitute a Risk Management Committee. Sub-regulation (2) prescribes the minimum architecture: the committee shall have a minimum of three members, with a majority of them being members of the board of directors, including at least one independent director. In the case of a listed entity having outstanding superior-voting-rights (SR) equity shares, at least two-thirds of the committee must comprise independent directors — a heightened safeguard reflecting the entrenched control such structures confer on founders.
Crucially, the regulation permits members of the senior management of the company to be members of the committee, but they cannot outnumber the directors; the majority-board requirement ensures the committee remains a board organ rather than a management talking-shop. This deliberate blend — directors providing oversight and accountability, senior executives bringing operational granularity — mirrors the logic the Supreme Court applied to director responsibility in N. Narayanan v. Adjudicating Officer, SEBI (2013) 12 SCC 152, where it rejected a whole-time director's plea that he handled only human resources and was insulated from financial affairs. The Court held that the duty of care imposes a legal obligation on directors to be diligent in supervising and managing the company; a director cannot compartmentalise away the board's collective oversight responsibility.
Chairperson and the Board Anchor
Sub-regulation (3) provides that the chairperson of the Risk Management Committee shall be a member of the board of directors. This is a structural insistence that the committee is led from the board, not from the executive line. The chairperson's board membership ensures that risk findings carry board authority and a direct conduit back to the full board, and that the person steering the committee owes the fiduciary and statutory duties of a director rather than merely the contractual loyalties of an employee.
The regulation also contemplates that senior executives of the listed entity may serve as members, so that domain expertise on operational, technological and sectoral risk is available within the committee. But the leadership and the majority remain with the board, preserving the committee's independence from the very management whose risk-taking it is meant to scrutinise. The architecture parallels the chairing rules SEBI applies across governance committees discussed in our note on specific listing obligations for equity.
Meetings and the 210-Day Gap
Sub-regulation (3) of Regulation 21 requires the Risk Management Committee to meet at least twice in a year. The cadence is reinforced by a spacing rule: not more than 210 days shall elapse between any two consecutive meetings. This 210-day ceiling is the product of the 14 June 2023 amendment, which relaxed the earlier 180-day cap introduced in 2021. The change gives entities marginally more scheduling flexibility while preserving the core principle that risk oversight cannot lapse into an annual ritual — two engagements a year, reasonably spaced, are the floor.
The minimum of two meetings is a meaningful discipline. Read with the Part D charter requiring the committee to monitor and evaluate evolving risks and to keep the board informed, the cadence ensures that risk is revisited at least half-yearly against a moving landscape. A committee that meets once and ticks a box would fall short of both the letter of sub-regulation (3) and the supervisory standard the courts expect of those charged with oversight.
The relaxation from 180 to 210 days deserves a word of caution for the exam. The relaxation widens the permissible spacing; it does not reduce the minimum number of meetings, which remains two. Candidates frequently confuse the meeting frequency (twice a year) with the audit committee's quarterly cadence; the two committees operate on different rhythms, and Regulation 21's standard is the half-yearly floor with the 210-day cap, not a quarterly one. The practical effect of the 210-day ceiling is that an entity cannot bunch both meetings into a single quarter and then leave risk unattended for the remainder of the year; the two sittings must be spread so that no seven-month stretch passes without the committee convening.
Quorum Requirements
Sub-regulation (3) prescribes the quorum for a meeting of the Risk Management Committee as either two members or one-third of the members of the committee, whichever is higher, including at least one member of the board of directors in attendance. The formula scales with the size of the committee: for a small three-member committee the quorum is two; for a larger committee, one-third must be present.
The non-negotiable element is the presence of at least one board member. A meeting attended only by senior executives, however well-informed, cannot transact valid business; the board's oversight anchor must be physically engaged. This guards against the risk that the committee degenerates into a management briefing and ensures that the directors who bear ultimate accountability are genuinely seized of the risk picture. The quorum rule is therefore not a formality but the practical guarantee that Regulation 21's board-centric design is honoured in every sitting.
Role of the Board and Delegation
Sub-regulation (4) makes clear that the board of directors must define the role and responsibility of the Risk Management Committee and may delegate to it the monitoring and reviewing of the risk management plan, together with such other functions as the board may deem fit — including, specifically, cyber security. The drafting is significant: cyber risk is singled out by name, signalling SEBI's recognition that information-security failures are now an existential category of enterprise risk for listed companies.
But delegation is bounded. The same sub-regulation provides that the role and responsibilities of the committee shall mandatorily include the performance of the functions specified in Part D of Schedule II. In other words, the board has latitude to add to the committee's remit but no liberty to subtract from the statutory minimum. This floor-and-ceiling design — a fixed Part D core that the board may enlarge but never dilute — tracks the disclosure philosophy explained in our chapter on the principles governing disclosures.
Part D of Schedule II: The Mandatory Charter
Part D of Schedule II is the substantive heart of Regulation 21. It enumerates the functions the committee must perform, and the board cannot contract out of them. In summary, the committee must: (1) formulate a detailed risk management policy setting out a framework for identifying internal and external risks — specifically including financial, operational, sectoral, sustainability (particularly ESG-related), information and cyber-security risks, or any other risk the committee may determine; (2) prescribe measures for risk mitigation, including systems and processes for internal control of identified risks and a business continuity plan; (3) ensure that appropriate methodology, processes and systems are in place to monitor and evaluate risks associated with the business; (4) monitor and oversee implementation of the risk management policy, including evaluating the adequacy of risk-management systems; (5) periodically review the risk management policy, at least once in two years, including by considering the changing industry dynamics and evolving complexity; (6) keep the board informed about the nature and content of its discussions, recommendations and actions to be taken; and (7) review the appointment, removal and terms of remuneration of the Chief Risk Officer (if any).
The inclusion of ESG and sustainability risk in the identification framework dovetails with the Business Responsibility and Sustainability Reporting (BRSR) obligations imposed on the same top-tier entities, while the express reference to a business continuity plan reflects post-pandemic regulatory thinking on operational resilience.
Two features of Part D repay close attention. First, the list of risk categories is illustrative, not exhaustive — it closes with the phrase capturing any other risk the committee may determine, so the committee cannot defend a blind spot by pointing out that the relevant risk was not named. Second, the biennial review obligation is a minimum, not a permission to leave the policy untouched for two years; the committee is expected to refresh the policy whenever industry dynamics or the entity's risk profile materially change. The drafting thus combines a hard outer limit (review at least once in two years) with an implicit continuous-monitoring duty discharged through the at-least-twice-yearly meetings. Together these features make Part D a living charter rather than a static checklist, and they explain why a committee that adopts a policy once and never revisits it would breach the regulation even if it formally met the meeting and quorum requirements.
The Chief Risk Officer Interface
Part D contemplates that a listed entity may appoint a Chief Risk Officer (CRO), and where it does, the appointment, removal and terms of remuneration of that officer are subject to review by the Risk Management Committee. This insulates the CRO from being summarily silenced or sidelined by the very executives whose risk-taking the CRO is meant to challenge — a structural protection analogous to the safeguards the audit committee provides to internal and statutory auditors.
The CRO interface answers a practical governance problem: a risk officer who reports solely to, and can be fired solely by, the chief executive lacks the independence to deliver unwelcome news. By routing the CRO's tenure and pay through a board-majority committee, Regulation 21 gives the risk function a measure of organisational backbone. The committee thus operates at two levels — setting policy and monitoring risk on the one hand, and protecting the independence of the officer who runs the day-to-day risk function on the other.
Powers of the Committee
Regulation 21 arms the Risk Management Committee with the investigative powers it needs to be effective. The committee shall have powers to seek information from any employee, obtain outside legal or other professional advice and secure attendance of outsiders with relevant expertise, if it considers it necessary. These powers mirror those vested in the audit committee and are deliberately broad.
The right to summon any employee means no manager can stonewall the committee on grounds of seniority or confidentiality within the organisation. The right to retain external advisers ensures the committee is not captive to in-house assessments — it can commission an independent cyber-security audit, a sectoral risk review or a legal opinion on regulatory exposure. The right to secure attendance of outside experts allows the committee to bring specialist knowledge into the room when the risk in question outstrips the directors' own competence. Together these powers convert the committee from an advisory body into an organ with genuine reach into the company's information and expertise.
These powers are also the practical answer to the supervisory standard the courts demand. A director cannot plead that he did not know of a risk if the committee on which he sat possessed the power to summon the relevant employee, commission an external review, or call in an expert and simply chose not to exercise it. The vesting of investigative powers, in other words, raises the bar of expected diligence: the committee is presumed to have the means to inform itself, and a failure to use those means is itself a failure of oversight. This is the institutional translation of the duty of care articulated in Official Liquidator, Supreme Bank Ltd. v. P.A. Tendolkar — the obligation not to shut one's eyes to what the means at one's disposal would readily reveal.
Relationship with the Companies Act, 2013
Regulation 21 does not operate in a vacuum; it overlays a statutory baseline in the Companies Act, 2013. Section 134(3)(n) requires every company's board report to include a statement indicating the development and implementation of a risk management policy, identifying elements of risk which in the board's opinion may threaten the existence of the company. Section 177(4)(vii) requires the audit committee to act on terms of reference that include evaluation of internal financial controls and risk management systems.
The result is a layered regime. For most companies the Companies Act demands a risk policy and audit-committee evaluation, but not a separate committee. For the top 1000 listed entities and HVDLEs, Regulation 21 escalates the requirement to a dedicated, board-majority Risk Management Committee with a mandatory Part D charter. There is necessarily some overlap with the audit committee's risk-evaluation function, which is why Part D's coordination expectation matters — the two committees must avoid working at cross-purposes. Our chapter on the common obligations of listed entities situates these committee duties within the wider compliance calendar.
Consequences of Non-Compliance
Failure to constitute the committee, to maintain its prescribed composition, to hold the required meetings, or to honour the quorum is a breach of the listing regulations and attracts SEBI's standardised enforcement machinery. SEBI's circular prescribing a uniform structure of fines for non-compliance with the corporate-governance provisions treats deficiencies in committee constitution — including the Risk Management Committee — as a fine-as-first-resort default, with the stock exchanges levying a fixed per-day penalty (on the order of Rs. 2,000 per day of non-compliance) and escalating to moving the scrip to a restricted category, suspension of trading, and ultimately compulsory delisting where default persists.
Beyond the listing penalties, the deeper exposure is to the directors personally. As N. Narayanan v. SEBI and Official Liquidator, Supreme Bank Ltd. v. P.A. Tendolkar together establish, directors who treat oversight committees as decorative cannot later disclaim responsibility for the risks those committees were meant to catch. A committee that exists on paper but never meaningfully evaluates risk offers no shield; if anything, it evidences awareness of the obligation and its breach. Compliance with Regulation 21 is therefore not merely a listing formality but part of the directors' broader duty of supervision under both SEBI law and company law.
Practical Takeaways for the Exam and the Boardroom
For examination purposes, the load-bearing facts of Regulation 21 are: applicability to the top 1000 listed entities (by preceding-year market capitalisation) and HVDLEs; minimum three members with a board majority and at least one independent director (two-thirds independent where SR shares exist); a board-member chairperson; at least two meetings a year with a maximum 210-day gap; quorum of two members or one-third, whichever is higher, with at least one board member present; and a mandatory Part D charter covering financial, operational, sectoral, ESG, information and cyber-security risk, business continuity, biennial policy review and CRO oversight.
For the boardroom, the practical message is that Regulation 21 codifies the structure but the substance is in the doing: a committee that maps risk against a changing landscape, protects the independence of the risk function, and feeds candid assessments back to the full board. To revise the surrounding framework, return to our SEBI LODR notes hub and the chapter on introduction, scope and definitions.
Frequently asked questions
Which listed entities must constitute a Risk Management Committee under Regulation 21?
The obligation applies to the top 1000 listed entities, determined on the basis of market capitalisation as at the end of the immediately preceding financial year, and to High Value Debt Listed Entities (HVDLEs) above the prescribed outstanding-debt threshold (raised to Rs. 1000 crore by the 2025 amendments). The top-1000 cohort is reassessed annually against fresh market-capitalisation rankings.
What is the minimum composition of the Risk Management Committee?
The committee must have a minimum of three members, with a majority being members of the board of directors and at least one independent director. Where the entity has outstanding SR (superior voting rights) equity shares, at least two-thirds of the committee must be independent directors. Senior management may be members but cannot outnumber the directors, and the chairperson must be a board member.
How often must the Risk Management Committee meet and what is the gap rule?
The committee must meet at least twice in a year, and not more than 210 days may elapse between two consecutive meetings. The 210-day ceiling was introduced by the SEBI (LODR) (Second Amendment) Regulations, 2023 (notified 14 June 2023), relaxing the earlier 180-day cap that the 2021 amendment had prescribed.
What is the quorum for a Risk Management Committee meeting?
The quorum is either two members or one-third of the members of the committee, whichever is higher, including at least one member of the board of directors in attendance. The presence of at least one board member is mandatory, so a meeting attended only by senior executives cannot validly transact business.
What functions must the committee perform under Part D of Schedule II?
Part D mandatorily requires the committee to formulate a risk management policy covering financial, operational, sectoral, ESG/sustainability, information and cyber-security risks; prescribe mitigation measures including a business continuity plan; monitor implementation and evaluate the adequacy of risk systems; review the policy at least once in two years; keep the board informed; and review the appointment, removal and remuneration of the Chief Risk Officer, if any. The board may add functions but cannot dilute this floor.
What happens if a listed entity fails to constitute or run the committee properly?
SEBI's uniform fine structure treats non-compliance as a fine-as-first-resort default, with stock exchanges levying a fixed per-day penalty and escalating to scrip reclassification, trading suspension and ultimately compulsory delisting for persistent default. Directors also face personal exposure: as the Supreme Court held in N. Narayanan v. SEBI (2013) 12 SCC 152 and Official Liquidator, Supreme Bank Ltd. v. P.A. Tendolkar (1973) 1 SCC 602, a paper committee offers no shield against the director's duty of supervision.